Import Incident Activities to SIEM
Incident activities can be exported as a compressed CSV file and forwarded to your SIEM.
The Skyhigh Cloud Connector can:
- Query the activity data as a CSV file and send it to the SIEM.
- Expose an endpoint that the SIEM invokes with an Incident ID or a date range. These parameters are passed to SHNAPI, which returns the activity data; the connector then sends that data to the SIEM.
To query the activities of an incident and import them into the SIEM, run the following curl command (angle brackets mark the values you supply):
curl -k -X POST \
  'https://<SKYHIGH CASB URL>/shnapi/rest/external/api/v1/queryActivities' \
  -H 'content-type: application/json' \
  -H 'Authorization: Basic <AuthToken>' \
  -H 'Cookie: JSESSIONID=<SessionNumber>' \
  -d '{ "incidentId": "<incidentNumber>", "start_time": "yyyy-mm-dd", "end_time": "yyyy-mm-dd" }'
The response is the activity data in CSV format; its first row is the header, which lists the column names (see the example below).
NOTE: The Incident ID is a mandatory field. The Start time and End time are optional fields; when both are supplied they must be in yyyy-mm-dd format.
NOTE: The Basic AuthToken is the Base64 encoding of username:password, not an encrypted value, and the JSESSIONID cookie grants the same access as the login session, so keep both out of shell history and out of scripts committed to source control. The -k flag disables TLS certificate verification; use it only against a test tenant and drop it in production, otherwise anyone who can intercept the connection can read the credentials.
Example:
curl -k -X POST \
  'https://www.myshn.net/shnapi/rest/external/api/v1/queryActivities' \
  -H 'content-type: application/json' \
  -H 'Authorization: Basic c2hpdmFzYWkxMzkzNEBnbWFpbC5jb206QWJjZF8xMjM0NTY3OA==' \
  -H 'Cookie: JSESSIONID=C04B1336A0FEFFA0A5C3C45B6B6B7602.shnapi-08ce8b66c61bc873b' \
  -d '{ "incidentId": "469", "start_time": "2020-10-29", "end_time": "2020-11-03" }'
Response (CSV header row listing the column names):
timestamp,accountId,actionName,asn,asnName,city,clientCategory,clientName,clientOS,collabGroup,collabGroupAndTarget,count,country,cspId,deviceManaged,directory,downloadBytes,eventCount,fileFolderPath,fileName,fileOwner,fileSharingEnabled,fileSize,fileType,geoOrgNameV1,httpMethod,instanceId,isSourceTrusted,locationId,monitoringStatusMetric,networkType,noOfObjects,objectType,operation,profile,proxyDescription,proxyServerTime,proxyTotalTime,proxyType,region,serviceName,shnProcessTimestamp,siteUrl,sourceIP,sourceIdentifier,subCspId,targetId,targetType,tenantId,threatCategory,trustEntity,trustReason,uploadBytes,url,user,userCount
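The following Python script is an added example of the connector flow described above (build the queryActivities request, decode the returned CSV, and turn each activity row into a SIEM event). It is not Skyhigh's connector code. Assumptions not stated on the page: the "compressed" CSV is gzip (detected by its magic bytes, with plain CSV accepted as well), the events are emitted in CEF with placeholder vendor/product strings, and the live HTTP call keeps TLS verification enabled instead of using -k. The sample CSV rows at the bottom are constructed so the script runs offline.

```python
"""Query incident activities and emit them as CEF lines for a SIEM.
Added example; not Skyhigh's own connector. Assumptions: gzip compression,
placeholder CEF header fields, and the page's column names in the sample rows."""
import base64
import csv
import datetime as dt
import gzip
import io
import json
import urllib.request

SIEM_VENDOR = "Skyhigh"      # placeholder CEF header fields (assumption)
SIEM_PRODUCT = "CASB"
SIEM_VERSION = "1.0"
SIEM_SEVERITY = "5"


def build_query(incident_id, start_time=None, end_time=None):
    """Body for POST .../queryActivities: incidentId is mandatory, the dates are
    optional and, when present, must be yyyy-mm-dd as the page documents."""
    if not str(incident_id).strip():
        raise ValueError("incidentId is mandatory")
    body = {"incidentId": str(incident_id).strip()}
    for key, value in (("start_time", start_time), ("end_time", end_time)):
        if value is not None:
            dt.datetime.strptime(value, "%Y-%m-%d")   # ValueError on a bad date
            body[key] = value
    if "start_time" in body and "end_time" in body and body["start_time"] > body["end_time"]:
        raise ValueError("start_time must not be after end_time")
    return body


def decode_activity_csv(payload):
    """Accept raw or gzip-compressed CSV bytes; return one dict per activity row."""
    if payload[:2] == b"\x1f\x8b":                    # gzip magic bytes (assumed format)
        payload = gzip.decompress(payload)
    return list(csv.DictReader(io.StringIO(payload.decode("utf-8"))))


def _cef_header(value):
    # CEF header fields escape backslash and the pipe delimiter
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    # CEF extension values escape backslash and '=', and must not contain newlines
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", " ").replace("\n", " "))


def to_cef(row):
    """One activity row -> one CEF event. Escaping keeps a '|' or '=' inside a
    file name from breaking the SIEM's CEF parser."""
    header = "|".join(_cef_header(x) for x in (
        "CEF:0", SIEM_VENDOR, SIEM_PRODUCT, SIEM_VERSION,
        row.get("actionName") or "activity", row.get("operation") or "activity",
        SIEM_SEVERITY))
    ext = " ".join(f"{k}={_cef_ext(v)}" for k, v in row.items() if v not in (None, ""))
    return f"{header}|{ext}"


def fetch_activities(base_url, username, password, session_id, query, timeout=30):
    """Live call (not exercised offline). Certificate verification stays on; the
    page's curl -k disables it, which exposes the Basic credentials on the wire."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/shnapi/rest/external/api/v1/queryActivities",
        data=json.dumps(query).encode(),
        headers={"content-type": "application/json",
                 "Authorization": f"Basic {token}",
                 "Cookie": f"JSESSIONID={session_id}"},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return decode_activity_csv(resp.read())


# Constructed sample (not real tenant data): two rows using the page's column
# names, gzip-compressed so the decompression path is exercised.
SAMPLE_CSV = (
    "timestamp,accountId,actionName,operation,fileName,sourceIP,user,serviceName\n"
    "2020-11-02T10:15:00Z,469,Download,FileDownloaded,q3|plan=final.xlsx,"
    "203.0.113.7,alice@example.com,Box\n"
    "2020-11-02T10:16:30Z,469,Share,LinkShared,notes.txt,"
    "203.0.113.7,alice@example.com,Box\n"
)
SAMPLE_GZ = gzip.compress(SAMPLE_CSV.encode())


def sample_cef_lines():
    return [to_cef(row) for row in decode_activity_csv(SAMPLE_GZ)]


if __name__ == "__main__":
    print(json.dumps(build_query("469", "2020-10-29", "2020-11-03")))
    for line in sample_cef_lines():
        print(line)    # forward these to the SIEM's syslog/CEF listener
```

To use it against a real tenant, call fetch_activities with the tenant URL, the API user's credentials and a current session id, then pass each returned row through to_cef; the query builder rejects a missing incidentId or a malformed date before anything is sent, so a bad parameter fails locally instead of producing an unexplained empty CSV.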